aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorSimon Horman <horms@verge.net.au>2009-05-06 11:02:29 -0400
committerDavid S. Miller <davem@davemloft.net>2009-05-08 17:54:47 -0400
commitbe8be9eccbf2d908a7e56b3f7a71105cd88da06b (patch)
tree0046061772516257c3bc6b63fdacee12dcd34e5d /net
parente81963b180ac502fda0326edf059b1e29cdef1a2 (diff)
ipvs: Fix IPv4 FWMARK virtual services
This fixes the use of fwmarks to denote IPv4 virtual services which was unfortunately broken as a result of the integration of IPv6 support into IPVS, which was included in 2.6.28. The problem arises because fwmarks are stored in the 4th octet of a union nf_inet_addr .all, however in the case of IPv4 only the first octet, corresponding to .ip, is assigned and compared. In other words, using .all = { 0, 0, 0, htonl(svc->fwmark) always results in a value of 0 (32bits) being stored for IPv4. This means that one fwmark can be used, as it ends up being mapped to 0, but things break down when multiple fwmarks are used, as they all end up being mapped to 0. As fwmarks are 32bits a reasonable fix seems to be to just store the fwmark in .ip, and comparing and storing .ip when fwmarks are used. This patch makes the assumption that in calls to ip_vs_ct_in_get() and ip_vs_sched_persist() if the proto parameter is IPPROTO_IP then we are dealing with an fwmark. I believe this is valid as ip_vs_in() does fairly strict filtering on the protocol and IPPROTO_IP should not be used in these calls unless explicitly passed when making these calls for fwmarks in ip_vs_sched_persist(). Tested-by: Fabien DuchĂȘne <fabien.duchene@student.uclouvain.be> Cc: Joseph Mack NA3T <jmack@wm7d.net> Cc: Julius Volz <julius.volz@gmail.com> Signed-off-by: Simon Horman <horms@verge.net.au> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/netfilter/ipvs/ip_vs_conn.c9
-rw-r--r--net/netfilter/ipvs/ip_vs_core.c4
2 files changed, 9 insertions, 4 deletions
diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c
index 60aba45023ff..77bfdfeb966e 100644
--- a/net/netfilter/ipvs/ip_vs_conn.c
+++ b/net/netfilter/ipvs/ip_vs_conn.c
@@ -260,7 +260,10 @@ struct ip_vs_conn *ip_vs_ct_in_get
260 list_for_each_entry(cp, &ip_vs_conn_tab[hash], c_list) { 260 list_for_each_entry(cp, &ip_vs_conn_tab[hash], c_list) {
261 if (cp->af == af && 261 if (cp->af == af &&
262 ip_vs_addr_equal(af, s_addr, &cp->caddr) && 262 ip_vs_addr_equal(af, s_addr, &cp->caddr) &&
263 ip_vs_addr_equal(af, d_addr, &cp->vaddr) && 263 /* protocol should only be IPPROTO_IP if
264 * d_addr is a fwmark */
265 ip_vs_addr_equal(protocol == IPPROTO_IP ? AF_UNSPEC : af,
266 d_addr, &cp->vaddr) &&
264 s_port == cp->cport && d_port == cp->vport && 267 s_port == cp->cport && d_port == cp->vport &&
265 cp->flags & IP_VS_CONN_F_TEMPLATE && 268 cp->flags & IP_VS_CONN_F_TEMPLATE &&
266 protocol == cp->protocol) { 269 protocol == cp->protocol) {
@@ -698,7 +701,9 @@ ip_vs_conn_new(int af, int proto, const union nf_inet_addr *caddr, __be16 cport,
698 cp->cport = cport; 701 cp->cport = cport;
699 ip_vs_addr_copy(af, &cp->vaddr, vaddr); 702 ip_vs_addr_copy(af, &cp->vaddr, vaddr);
700 cp->vport = vport; 703 cp->vport = vport;
701 ip_vs_addr_copy(af, &cp->daddr, daddr); 704 /* proto should only be IPPROTO_IP if d_addr is a fwmark */
705 ip_vs_addr_copy(proto == IPPROTO_IP ? AF_UNSPEC : af,
706 &cp->daddr, daddr);
702 cp->dport = dport; 707 cp->dport = dport;
703 cp->flags = flags; 708 cp->flags = flags;
704 spin_lock_init(&cp->lock); 709 spin_lock_init(&cp->lock);
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index cb3e031335eb..8dddb17a947a 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -278,7 +278,7 @@ ip_vs_sched_persist(struct ip_vs_service *svc,
278 */ 278 */
279 if (svc->fwmark) { 279 if (svc->fwmark) {
280 union nf_inet_addr fwmark = { 280 union nf_inet_addr fwmark = {
281 .all = { 0, 0, 0, htonl(svc->fwmark) } 281 .ip = htonl(svc->fwmark)
282 }; 282 };
283 283
284 ct = ip_vs_ct_in_get(svc->af, IPPROTO_IP, &snet, 0, 284 ct = ip_vs_ct_in_get(svc->af, IPPROTO_IP, &snet, 0,
@@ -306,7 +306,7 @@ ip_vs_sched_persist(struct ip_vs_service *svc,
306 */ 306 */
307 if (svc->fwmark) { 307 if (svc->fwmark) {
308 union nf_inet_addr fwmark = { 308 union nf_inet_addr fwmark = {
309 .all = { 0, 0, 0, htonl(svc->fwmark) } 309 .ip = htonl(svc->fwmark)
310 }; 310 };
311 311
312 ct = ip_vs_conn_new(svc->af, IPPROTO_IP, 312 ct = ip_vs_conn_new(svc->af, IPPROTO_IP,